Configuring IP Filter for firewall usage.
=========================================

Step 1 - Block out "bad" IP packets.
------------------------------------

Run the perl script "mkfilters". This will generate a list of blocking
rules which:
   a) block all packets which might belong to an IP spoofing attack
      (packets arriving on the external interface with a source address
      that belongs to an internal, private or loopback range);
   b) block all packets with IP options;
   c) block all packets whose length is too short to hold a legal
      header for the protocol they claim to carry.

Step 2 - Convert Network Security Policy to filter rules.
---------------------------------------------------------

Draw up a list of which services you want to allow users to use on the
Internet (e.g. WWW, ftp, etc). Draw up a separate list of what each host
that is part of your firewall is to be allowed to do, including
communication with internal hosts.

Step 3 - Create TCP "keep state" rules.
---------------------------------------

For each service that uses TCP, create a rule as follows:

pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state

where
* "int-a" is the internal interface of the firewall. That is, it is the
  interface closest to your internal network in terms of network hops.

* "int-net" is the internal network IP subnet address range. This might
  be something like 10.1.0.0/16, or 128.33.1.0/24

* "ext-service" is the service to which you wish to connect or, if it doesn't
  have a proper name, a number can be used. The translation of "ext-service"
  as a name to a number is controlled with the /etc/services file.

* "flags S/SA" matches only packets with SYN set and ACK clear, i.e. the
  first packet of a connection opened from the inside. State is therefore
  created only for connections your own hosts initiate; the reply packets
  and the rest of the connection are matched by the state table rather
  than by additional rules.
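The three steps above put together as one ruleset, as an added example that is not part of the original text or of the mkfilters output. It assumes an internal interface ep0, an external interface fxp0 and an internal subnet of 10.1.0.0/16; the services passed (WWW, HTTPS, ftp) stand in for whatever list Step 2 produced. The port comparisons are written with the explicit "=" comparator that ipf's grammar documents.

```text
# Added example ruleset (not from the original howto). Assumed names:
# ep0 = internal interface, fxp0 = external interface, 10.1.0.0/16 = int-net.

# Step 1 - drop obviously bogus packets on the external interface first.
# Anything arriving from outside with an internal or loopback source is
# spoofed. "quick" stops rule processing, so no later pass rule can match.
block in log quick on fxp0 from 10.1.0.0/16 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 all with ipopts
block in log quick on fxp0 all with short

# Default policy. ipf uses the last matching rule unless "quick" is given,
# so these catch-alls come first and the pass rules below override them.
block in all
block out all

# Step 3 - one keep-state rule per permitted TCP service (from Step 2).
# "flags S/SA" matches SYN-without-ACK only, so state is created just for
# connections opened from int-net. The state entry then carries the reply
# and the outbound leg past the block-all rules; no "pass out" is needed.
pass in on ep0 proto tcp from 10.1.0.0/16 to any port = 80 flags S/SA keep state
pass in on ep0 proto tcp from 10.1.0.0/16 to any port = 443 flags S/SA keep state
pass in on ep0 proto tcp from 10.1.0.0/16 to any port = ftp flags S/SA keep state
```

Before loading such a ruleset, check it with "ipf -n -f <file>" (parse only, no change to the running filter), then load it with "ipf -Fa -f <file>". The spoofing block covers only the ranges listed; add every internal and RFC 1918 range you use, and a matching "block out quick on fxp0 from ! 10.1.0.0/16 to any" if you also want to stop your own hosts from emitting spoofed sources.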